[CentOS] netflow collection and analysis
Timo Schoeler
timo.schoeler at riscworks.net
Sun Dec 6 22:48:45 UTC 2009
thus Alan McKay spake:
> On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> <JCasale at activenetwerx.com> wrote:
>> Anyone got a reco on a package that can collect netflow data and accept user defined queries
>> for specific data, like what an ip did every hour for some said interval?
>
> well, collecting is pretty easy of course - tcpdump.
> And you can load the files into wireshark to query.
>
> Though it is probably not just what you want.
>
> In my old job I set up a sniffer appliance which basically ran
> tcpdump on any interface except the main interface, and logged it all
> in circular log files of a certain size. And the directory where
> these were kept was served out via the web server so that anyone
> could surf to the box and grab log files to look at.
>
> You may also want to have a look at what ntop can do these days - it
> has been a few years since i've looked at it.
>
> But of course this all assumes the traffic is visible to your CentOS
> box. For my sniffer appliance the way to deploy it was that all the
> other NICs except the main one got plugged into a mirror port on the
> switch, which mirrored the particular PC we wanted to sniff. In our
> case this was fine because we only monitored our product which was a
> VOIP appliance we were developing.
>
> Alternately, running this on your router will pick up most of what you
> want - but obviously not local LAN traffic
Well, netflow is the appropriate technology for this:
http://en.wikipedia.org/wiki/Netflow
Unfortunately, I don't know a solution for the thread starter's question
off the top of my head, so this was just to clarify what we're talking
about... ;)
Timo
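To make concrete what NetFlow gives you that raw tcpdump capture does not, here is an added example (not code from anyone in this thread) of the core of a NetFlow v5 collector: it decodes the fixed-format v5 datagram a router exports over UDP, sanity-checks it (the protocol is unauthenticated, so the count field and version are never trusted blindly), and then answers the original question, "what did this IP do every hour", by bucketing flows per source address and hour. The datagram in the example is constructed locally with `build_v5_packet`; the addresses, ports and timestamps are invented test data, and the hourly-table layout is this example's own choice, not a standard.

```python
"""Minimal NetFlow v5 parser plus per-IP, per-hour aggregation.
Added example with constructed sample data; not a thread participant's code."""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

# NetFlow v5 wire format (RFC-less, but fixed since Cisco documented it):
# 24-byte header followed by up to 30 48-byte records, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_V5_RECORDS = 30


def build_v5_packet(unix_secs, sys_uptime_ms, flows):
    """Construct a v5 datagram for testing (an exporter would do this on the router).
    flows: (src, dst, sport, dport, proto, packets, octets, last_uptime_ms)"""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, last_ms in flows:
        body += V5_RECORD.pack(
            int.from_bytes(socket.inet_aton(src), "big"),
            int.from_bytes(socket.inet_aton(dst), "big"),
            0, 0, 0,                # nexthop, input ifindex, output ifindex
            pkts, octets,
            last_ms, last_ms,       # first/last seen, router uptime in ms
            sport, dport,
            0, 0, proto, 0,         # pad, tcp_flags, prot, tos
            0, 0, 0, 0, 0)          # src_as, dst_as, src_mask, dst_mask, pad
    return header + body


def parse_v5_packet(data):
    """Decode one datagram into flow dicts; reject anything malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, uptime_ms, unix_secs, _nsecs, _seq,
     _etype, _eid, _sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_V5_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        # Record times are router uptime; anchor them to wall clock using the
        # header's (uptime, unix_secs) pair.
        end_ts = unix_secs - (uptime_ms - r[8]) / 1000.0
        flows.append({
            "src": socket.inet_ntoa(r[0].to_bytes(4, "big")),
            "dst": socket.inet_ntoa(r[1].to_bytes(4, "big")),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "packets": r[5], "octets": r[6], "end": end_ts,
        })
    return flows


def hour_bucket(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:00")


def aggregate_hourly(flows):
    """(src_ip, hour) -> flow/packet/byte totals and distinct (dst, port, proto) peers."""
    table = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "peers": set()})
    for f in flows:
        slot = table[(f["src"], hour_bucket(f["end"]))]
        slot["flows"] += 1
        slot["packets"] += f["packets"]
        slot["octets"] += f["octets"]
        slot["peers"].add((f["dst"], f["dport"], f["proto"]))
    return table


def activity_for_ip(table, ip):
    """Rows of (hour, flows, packets, octets, distinct_peers) for one source IP."""
    return sorted((hour, t["flows"], t["packets"], t["octets"], len(t["peers"]))
                  for (src, hour), t in table.items() if src == ip)


# Constructed sample: exporter reports uptime 3,600,000 ms at 2009-12-06 23:00:00 UTC.
SAMPLE_UNIX_SECS = 1260140400
SAMPLE_UPTIME_MS = 3_600_000
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 51000, 80, 6, 10, 1500, 3_600_000),   # 23:00 bucket
    ("10.0.0.5", "192.0.2.20", 51001, 443, 6, 20, 9000, 3_000_000),  # 22:50 -> 22:00 bucket
    ("10.0.0.5", "192.0.2.10", 51002, 80, 6, 5, 700, 3_550_000),     # 22:59 -> 22:00 bucket
    ("10.0.0.7", "192.0.2.30", 40000, 53, 17, 1, 80, 3_600_000),     # other host
]

if __name__ == "__main__":
    pkt = build_v5_packet(SAMPLE_UNIX_SECS, SAMPLE_UPTIME_MS, SAMPLE_FLOWS)
    for row in activity_for_ip(aggregate_hourly(parse_v5_packet(pkt)), "10.0.0.5"):
        print(row)
```

In a real deployment the datagrams arrive on a UDP socket (port 2055 is the conventional choice) from a router configured to export flows; the point of the length and count checks is that anything on the network can send such datagrams, so a collector must treat them as untrusted input. The hourly table is what you would persist (or feed into a database) so that later queries for a given address and interval are cheap, which is exactly where full-packet capture with tcpdump becomes unwieldy.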